In the Claims 

Claims remaining in the application are as follows: 

1 . (Currently amended): A computer-implemented method comprising: 
observing communication between a plurality of devices; and 

inferring a respective state of at least one device of the plurality of devices based upon 

the observing the communication; 
the respective state of a first device of the at least one device is determined to be 

unfulfilled: 

the respective state of the first device is determined to be unfulfilled when the 
observing the communication comprises 

observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit . 

2. (Original): The method of claim 1 wherein 

the inferring is performed without sending a packet to the at least one device. 

3. (Original): The method of claim 1 wherein 

the inferring is performed without participating in the communication with the at least 
one device. 

4. (Original): The method of claim 1 wherein 

the inferring is performed only by listening to the communication with the at least one 
device. 

5. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the plurality of devices to a threat when 
the first device receives a packet and 
the respective state of the first device is unfulfilled. 
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6. (Original): The method of claim 5 further comprising: 

changing the designation for the first device to a non-threat when subsequent 
communication initiated by the first device does not violate a rule for the 
communication. 

7. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the plurality of devices to a possible threat 
when 

the communication is initiated by the first device, and 

the communication initiated by the first device violates a rule. 

8. (Original): The method of claim 7 further comprising: 

changing the designation for the first device to a non-threat when subsequent 

communication initiated by the first device does not violate a second rule for the 
communication. 

9. (Original): The method of claim 1 further comprising: 

setting a designation for a first device of the at least one device to a possible threat 

based upon a packet configuration for a packet sent by the first device as part of 
the communication. 

10. (Original): The method of claim 1 wherein 

the respective state of a first device of the at least one device is determined to be 
unknown. 

11. (Original): The method of claim 10 wherein 

the respective state of the first device is determined to be unknown when the observing 
the communication comprises 

observing that the first device fails to respond to the communication sent to the 



first device. 



12. 



(Canceled) 



13. 



(Canceled) 
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14. (Currently amended): The method of claim 1 42- wherein 

the respective state of the first device is determined to be unfulfilled when the first 
device receives an address resolution protocol request. 

15. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be used. 

16. (Original): The method of claim 1 5 wherein 

the respective state of the first device is determined to be used when the observing the 
communication comprises 

observing that the first device performs one of sending and receiving a packet. 

17. (Original): The method of claim 15 wherein 

the respective state of the first device is determined to be used when the observing the 
communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

18. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be 
virtual. 

19. (Original): The method of claim 18 wherein 

the respective state of the first device is determined to be virtual when the observing 
the communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device did not send a reply to the packet within a time 

limit. 

20. (Original): The method of claim 1 wherein 

the respective state of a first device of the plurality of devices is determined to be 
automatic. 
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21 . (Original): The method of claim 20 wherein 

the respective state of the first device is determined to be automatic when 

an automatic reply is programmed to be sent to a second address when the first 
device receives a packet from the second address. 

22. (Original): The method of claim 1 wherein 

the respective state of the first device is determined to be omitted. 

23. (Original): The method of claim 22 wherein 

the respective state of the first device is determined to be omitted when 

the observing is programmed to omit communication with the first device from 
the observing. 

24. (Original): The method of claim 1 further comprising: 

initializing the respective state of at least one device of the plurality of devices to 
unknown prior to the observing. 

25. (Original): The method of claim 1 wherein 

the plurality of devices communicates via a segment of a network. 

26. (Original): The method of claim 1 further comprising: 

maintaining the respective state for one device of the at least one device in a storage 
area. 

27. (Original): The method of claim 1 wherein 

storing information about at least one packet of a plurality of packets communicated 
between the plurality of devices. 

28. (Original): The method of claim 27 wherein 

the information comprises a respective source address and a respective destination 
address for each packet of the plurality of packets. 

29. (Original): The method of claim 27 wherein 

the information comprises a protocol for each packet of the plurality of packets. 
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30. (Original): The method of claim 27 wherein 

the information comprises a time that each packet of the plurality of packets was sent. 

31 . (Currently amended): A processing system comprising: 
tang i b le comput e r - r e adab le m e d i um e ncoded w i th : 

observing means for observing communication between a plurality of devices; 
and 

inferring means for inferring a respective state of at least one device of the 

plurality of devices based upon the observing the communication; 
determining means for determining that the respective state of the first device is 
unfulfilled when the observing the communication comprises 
observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 
protocol request prior to expiration of a time limit . 

32. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e d i um e ncod e d w i th : 

determining means for determining that the respective state is unknown when the 
observing the communication comprises 

observing that the first device fails to respond to the communication sent to the 
first device. 

33. (Canceled) 

34. (Currently amended): The system of claim 31 further comprising: 
tang i b l e computer readab l e med i um oncodod w i th : 

determining means for determining that the respective state of the first device is 

unfulfilled when the first device receives an address resolution protocol request. 
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35. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e dium e ncod e d w i th : 

determining means for determining that the respective state of the first device is used 
when the observing the communication comprises 

observing that the first device performs one of sending and receiving a packet. 

36. (Currently amended): The system of claim 31 further comprising: 
tang i b l e computer roadab l o med i um oncodod w i th : 

determining means for determining that the respective state of the first device is used 
when the observing the communication comprises 

observing that the first device received a packet when the respective state for 

the first device wais unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

37. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e d i um e ncod e d w i th : 

determining means for determining that the respective state of a first device of the 

plurality of devices is virtual when the observing the communication comprises 
observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a time 

limit. 

38. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r - r e adab le m e d i um e ncod e d w i th : 

determining means for determining that the respective state of the first device is 
automatic when 

an automatic reply is programmed to be sent to a second address when the first 
device receives a packet from the second address. 
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39. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e d i um e ncod e d w i th : 

determining means for determining that the respective state of the first device is 
omitted when 

the observing is programmed to omit communication with the first device from 
the observing. 

40. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e d i um e ncod e d w i th : 

initializing means for initializing the respective state of at least one device of the 
plurality of devices to unknown prior to the observing. 

41 . (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r - r e adab le m e d i um e ncoded w i th : 

maintaining means for maintaining the respective state for one device of the at least 
one device in a storage area. 

42. (Currently amended): The system of claim 31 further comprising: 
tang i b le comput e r r e adab le m e d i um e ncoded w i th : 

storing means for storing information about at least one packet of a plurality of packets 
communicated between the plurality of devices. 

43. (Currently amended): A system comprising: 
tang i b le comput e r r e adab le m e d i um e ncod e d w i th: 

an observing module configured to observe communication between a plurality of 
devices; and 

an inferring module configured to infer a respective state of at least one device of the 
plurality of devices based upon the observing the communication: 

a determining module configured to determine that the respective state of the first 
device is unfulfilled when the observing the communication comprises 
observing an address resolution protocol request comprising a destination 
address for the first device, and 
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observing that the first device does not respond to the address resolution 
protocol request prior to expiration of a time limit; and 
a processor configured to interpret the observing module, inferring module, and 
determining module . 

44. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

the a determining module is further configured to determine that the respective state 
is unknown when the observing the communication comprises 
observing that the first device fails to respond to the communication sent to 
the first device. 

45. (Canceled) 

46. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

the a determining module is further configured to determine that the respective state 
of the first device is unfulfilled when the first device receives an address 
resolution protocol request. 

47. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d with : 

the a determining module is further configured to determine that the respective state 
of the first device is used when the observing the communication comprises 
observing that the first device performs one of sending and receiving a 
packet. 

48. (Currently amended): The system of claim 43 whoro i n the computer readab l e 
med i um i s further comprising oncodod w i th : 

the a determining module is further configured to determine that the respective state 
of the first device is used when the observing the communication comprises 
observing that the first device received a packet when the respective state for 
the first device wais unfulfilled, and 
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observing that the first device sent a reply to the packet within a time limit. 

49. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

the a determining module is further configured to determine that the respective state 
of a first device of the plurality of devices is virtual when the observing the 
communication comprises 

observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a 

time limit. 

50. (Currently amended): The system of claim 43 wh e r ei n th e comput e r readab le 
m e d i um i s further comprising e ncod e d w i th : 

the a determining module is further configured to determine that the respective state 
of the first device is automatic when 

an automatic reply is programmed to be sent to a second address when the 
first device receives a packet from the second address. 

51 . (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

the a determining module is further configured to determine that the respective state 
of the first device is omitted when 

the observing is programmed to omit communication with the first device 
from the observing. 

52. (Currently amended): The system of claim 43 whoro i n the computer readab l e 
med i um i s further comprising oncodod w i th : 

an initializing module configured to initialize the respective state of at least one 
device of the plurality of devices to unknown prior to the observing. 
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53. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

a maintaining module configured to maintain the respective state for one device of 
the at least one device in a storage area. 

54. (Currently amended): The system of claim 43 wh e r ei n th e comput e r r e adab le 
m e d i um i s further comprising e ncod e d w i th : 

a storing module configured to store information about at least one packet of a 
plurality of packets communicated between the plurality of devices. 

55. (Currently amended): A n article of manufacture comprising: 

tang i b le computer-readable medium encoded with computer interpretable instructions 
embodied therein a comput e r program compr i s i ng including : 
observing instructions configured to cause a processor to observe communication 

between a plurality of devices; and 
inferring instructions configured to cause the processor to infer a respective state of 
at least one device of the plurality of devices based upon the observing the 
communication: 

determining instructions configured to cause the processor to determine that the 
respective state of the first device is unfulfilled when the observing the 
communication comprises 

observing an address resolution protocol request comprising a destination 

address for the first device, and 
observing that the first device does not respond to the address resolution 

protocol request prior to expiration of a time limit . 

56. (Currently amended): The article of manufacture computor roadab l o mod i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state is unknown when the observing the communication 
comprises 

-Page 11 Of 17- Serial No. 10/676,541 

September 11, 2008 



observing that the first device fails to respond to the communication sent to 
the first device. 

57. (Canceled) 

58. (Currently amended): The article of manufacture comput e r - r e adab le m e d i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of the first device is unfulfilled when the first device 
receives an address resolution protocol request. 

59. (Currently amended): The article of manufacture comput e r r e adab le m e d i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of the first device is used when the observing the 
communication comprises 
observing that the first device performs one of sending and receiving a packet. 

60. (Currently amended): The article of manufacture computer roadab l o med i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of the first device is used when the observing the 
communication comprises 

observing that the first device received a packet when the respective state for 

the first device wais unfulfilled, and 
observing that the first device sent a reply to the packet within a time limit. 

61. (Currently amended): The article of manufacture computer roadab l o med i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of a first device of the plurality of devices is virtual 
when the observing the communication comprises 
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observing that the first device received a packet when the respective state for 

the first device was unfulfilled, and 
observing that the first device failed to send a reply to the packet within a 

time limit. 

62. (Currently amended): The article of manufacture comput e r - r e adab le m e d i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of the first device is automatic when 
an automatic reply is programmed to be sent to a second address when the 
first device receives a packet from the second address. 

63. (Currently amended): The article of manufacture comput e r r e adab le m e d i um of 
claim 55 further comprising: 

the determining instructions further configured to cause the processor to determine 
that the respective state of the first device is omitted when 
the observing is programmed to omit communication with the first device 
from the observing. 

64. (Currently amended): The article of manufacture comput e r r e adab le m e d i um of 
claim 55 further comprising: 

initializing instructions configured to cause the processor to initialize the respective 
state of at least one device of the plurality of devices to unknown prior to the 
observing. 

65. (Currently amended): The article of manufacture comput e r - r e adab le m e d i um of 
claim 55 further comprising: 

maintaining instructions configured to cause the processor to maintain the 

respective state for one device of the at least one device in a storage area. 



-Page 13 Of 17- Serial No. 10/676,541 

September 11, 2008 



66. (Currently amended): The article of manufacture comput e r r e adab le m e d i um of 
claim 55 further comprising: 

storing instructions configured to cause the processor to store information about at 
least one packet of a plurality of packets communicated between the plurality 
of devices. 
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